April, 2014

| |

Office 365 ADFS Proxy Error Event ID 364

Posted 8 months ago

by Mohamed Marzouk [MSFT]
- 4 Comments
Symptoms:
The environment contains two ADFS servers implemented in the internal network and two ADFS Proxy servers implemented in the DMZ network.
When testing ADFS functionality from the internal network where sts.domain.com points to the NLB of the ADFS servers in the internal network the user can access Office 365.
When testing ADFS from the Internet or from the DMZ the ADFS Proxy returned the following error:
--------------------------------------------------------------------------
Error:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 25b51e4b-a68d-47d6-8fc7-ee5a56337ed4
--------------------------------------------------------------------------

The following snapshot shows the error:

When checking the event viewer on the ADFS Proxy servers the error Event ID 346 were logged several times:
--------------------------------------------------------------------------
Event id 364
Encountered error during federation passive request.
Additional Data
Exception details:
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
-----------------------------------------------------------------------
The following snapshot shows the error in the event viewer:

Reason:
ADFS Proxy configuration was fine as well as the certificate. However after troubleshooting the error the cause of it was due to time change.
The internal ADFS servers synchronizing the time with the Domain Controllers (DCs), and there were 20 minutes time difference between the ADFS proxy servers and the ADFS servers.

Solution:
Reset the time on the ADFS proxy servers to match the time on the ADFS servers.
Office 365 Hybrid Configuration Error: Subtask Configure execution failed: Configure Mail Flow has thrown an exception

Posted 8 months ago

by Mohamed Marzouk [MSFT]
- 5 Comments
Symptoms:

When running Hybrid Configuration Wizard you may receive the following error:

Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Configure Mail Flow Execution of the New-SendConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An Active Directory Constraint Violation error occurred on Domain_Controller_Name. Additional information: A value for the attribute was not in the acceptable range of values. Active directory response: 00002082: AtrErr: DSID-03151816, #1: 0: 00002082: DSID-03151816, problem 1005 ‎(CONSTRAINT_ATT_TYPE)‎, data 0, Att 811c7e35 ‎(msExchSmtpTLSCertificate)‎:len 552 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand‎(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)‎ ‎'. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_13_2014_7_57_9_635329726296799568.log

In the above error note the highlighted parts which will be useful to troubleshoot the error. The first is indicating that the error occurred when executing New-SendConnector cmdlet.

The second one indicated that the response is coming from Active Directory but so far is not useful.

The third shows that A value for the attribute was not in the acceptable range of value.

The forth part shows ‎ (msExchSmtpTLSCertificate) ‎:len 552.

The following snapshot shows the error:

Troubleshooting:

The next step is to check the log file mentioned in the above error, when checking the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration the following error is logged:

04/13/2014 07:57:39]    INFO : Task='Configure Mail Flow' Step='Configure' START

[04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces {smtp:TENANT_NAME.mail.onmicrosoft.com;1} -SourceTransportServers {SERVER_NAME} -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName 'From your Certificate Issuer and Subject Fields' -CloudServicesMailEnabled: $true -Fqdn $null START

[04/13/2014 07:57:39]   ERROR : System.Management.Automation.RemoteException: An Active Directory Constraint Violation error occurred on DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.

                              Active directory response: 00002082: AtrErr: DSID-03151816, #1:

                                             0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552

[04/13/2014 07:57:39]    INFO : Session=OnPrem Cmdlet=New-SendConnector FINISH Time=296.8075ms

[04/13/2014 07:57:39]   ERROR : Subtask Configure execution failed: Configure Mail Flow

                Execution of the New-SendConnector cmdlet has thrown an exception.



From the above log file we have some useful details:

1.      We have the cmdlet that caused the error New-SendConnector.

2.      We have the same attribute (msExchSmtpTLSCertificate):len 552

3.      And we have the famous error of the cmdlet has thrown an exception.

So let’s try to execute the cmdlet from Exchange Management Shell, check the below snapshot:

The error returned in the snapshot:

An Active Directory Constraint Violation error occurred on YOUR_DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.

Active directory response: 00002082: AtrErr: DSID-03151816, #1:

    0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35

(msExchSmtpTLSCertificate):len 552

First thing to notice from the snapshot and the log file that the switch –TLSCertificateName is using two fields from the certificate:

-        Issuer: this field shows the name of the Certificate Authority (CA) who issued the certificate, and as you can see Comodo has a very long name compared with other CAs.

-        Subject: this field shows information like Organization (O), Country (C), Common Name (CN). And again as you can see from the marked field in the snapshot the customer was using a very long name.

After searching I found this article: http://support.microsoft.com/kb/2860844

The KB explains the cause of the problem as:

“This issue occurs if the value of the rangeUpper attribute for the TlsCertificateName parameter contains more than 256 characters. Certificate names can't have more than 256 characters.”

The article also indicates that this problem has been fixed in Exchange 2013 Cumulative Update 3 (CU3), in this environment I’ve used Exchange 2013 with Service Pack 1 as the Hybrid Servers, it seems that the fix is not included in SP1 because checking the rangeupper limit attribute I found it as the old value 256.

To check the rangeupper limit value, run the following command:

dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

The following snapshot shows the result:

Solution:

The first option now that we issue a new certificate with shorter name in the subject field as we don’t have control over the Issuer field.

The only remaining option is to modify the Schema manually and change the rangeupper limit to a higher value.

The following steps show how to modify the attribute using ADSIEDIT:

1.      Use user account that member of Schema Admins and Enterprise Admins.

2.      Open adsiedit.msc

3.      Right click ADSI Edit and click on Connect To.

4.      Select “Well known Naming Context” and from the drop down menu select “Schema” as the following snapshot:

5.      Browse to CN=ms-Exch-Smtp-Tls-Certificate, open the properties and scroll down to rangeUpper as the following snapshot

6.      Click Edit and enter the new value 1024, as the following snapshot:

7.      Enforce the replication by running repadmin /syncall from the command prompt.

8.      Verify that the rangeupper limit has been increased by running the following command:

dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper

Check the following snapshot for the result:

Rerun the Hybrid Configuration Wizard to complete the configuration
Office 365 Hybrid Configuration Error: Unexpected Result from Windows Live InvalidUri InvalidUri

Posted 8 months ago

by Mohamed Marzouk [MSFT]
Symptoms:

When running Hybrid Configuration Wizard you may receive the following error:

The wizard did not complete successfully. Please see the list below for error details.

Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Configure Organization Relationship Execution of the Set-FederatedOrganizationIdentifier cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An unexpected result was received from Windows Live. Detailed information: "InvalidUri InvalidUri: Passed URI is not valid.".". at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand‎(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)‎ ‎'. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_8_2014_10_17_44_635325490647602241.log.

In the above error note the highlighted parts which will be useful to troubleshoot the error. The first is indicating that the error occurred when executing Set-FederatedOrganizationIdentifier cmdlet.

The second part is not really helpful saying that the Windows Live responded with unexpected result and InvalidUri. Very helpfulJ.

The following snapshot shows the error:

Troubleshooting:

The next logical step is to check the log file mentioned in the above error, when checking the log file under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration the following error is logged:

INFO : Session=OnPrem Cmdlet=Set-FederatedOrganizationIdentifier -AccountNamespace 'DOMAIN_NAME' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled: $true -DefaultDomain 'DOMAIN_NAME' START

[04/08/2014 10:18:01] ERROR : System.Management.Automation.RemoteException: An error occurred while attempting to provision Exchange to the Partner STS. Detailed Information "An unexpected result was received from Windows Live. Detailed information: "InvalidUri InvalidUri: Passed URI is not valid.".".

[04/08/2014 10:18:01] INFO : Session=OnPrem Cmdlet=Set-FederatedOrganizationIdentifier FINISH Time=2093.6758ms

In the log file the main interesting part is the cmdlet which caused the error:

Set-FederatedOrganizationIdentifier -AccountNamespace 'DOMAIN_NAME' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled: $true -DefaultDomain 'DOMAIN_NAME'

The second logical step is to try to execute the cmdlet from Exchange Management Shell, check the below snapshot:

The error in the snapshot indicates the same that “unexpected result was received from Windows Live “InvalidUri InvalidUri”

Solution:

Microsoft Knowledge Base Article (KB 2615183): http://support.microsoft.com/kb/2615183 mentioning that the cause of this error due to:

“This issue occurs if the domain name for your organization is blocked. A domain name may be blocked in Windows Live for the Windows Azure Active Directory (Windows Azure AD) authentication system if the domain name is reserved or if it doesn't meet certain requirements.”

To solve this problem you will need to contact Office 365 support, open service request with the error details and domain name and they will remove the domain names from the blocking list.

Once the domain removed from the black list, run the HCW wizard again to complete the Hybrid configuration.

Other Symptoms:

You may also receive the following error:

Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Configure Organization Relationship Execution of the Add-FederatedDomain cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Unable to reserve the URI "DOMAIN_NAME" for the domain "DOMAIN_NAME" on application identifier "000000004C022B11". Detailed information: "An unexpected result was received from Windows Live. Detailed information: "InvalidUri: Passed URI is not valid.

In the above scenario the error was with the Add-FederatedDomain cmdlet and in this case the domain name was in the blocked list.